Security Affairs

New Bad Magic APT used CommonMagic framework in the area of Russo-Ukrainian conflict

21 March 2023 at 21:48

Threat actors are targeting organizations located in Donetsk, Lugansk, and Crimea with a previously undetected framework dubbed CommonMagic.

In October 2022, Kaspersky researchers uncovered a malware campaign aimed at infecting government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions with a previously undetected framework dubbed CommonMagic.

Researchers believe that the threat actors use spear phishing as the initial attack vector: the messages include a URL pointing to a ZIP archive hosted on a web server under the attackers' control. The archive contains two files, a decoy document (PDF, XLSX and DOCX versions were observed) and a malicious LNK file with a double extension (e.g., .pdf.lnk) that starts the infection chain and deploys the PowerMagic backdoor.

[Image: malicious ZIP archive (source: Kaspersky)]

Kaspersky attributes the attack to a new APT group operating in the area of the Russo-Ukrainian conflict, tracked as Bad Magic.


The experts noted that the TTPs observed in this campaign have no direct link to any known campaign.

PowerMagic is a PowerShell backdoor that executes arbitrary commands sent by the C2 and exfiltrates the results through cloud storage services such as Dropbox and Microsoft OneDrive. Because the transport is a legitimate cloud service reached over HTTPS, destination-based blocking is of little use; detection has to key on unexpected Dropbox or OneDrive API traffic from hosts that have no business reason for it.

“When started, the backdoor creates a mutex – WinEventCom. Then, it enters an infinite loop communicating with its C&C server, receiving commands and uploading results in response. It uses OneDrive and Dropbox folders as transport, and OAuth refresh tokens as credentials.” reads the report published by Kaspersky.

The threat actor likely used the PowerMagic backdoor to deliver the modular CommonMagic framework.

Each module of the CommonMagic framework performs a specific task, such as communicating with the C2 server, encrypting and decrypting C2 traffic, or executing plugins.

Kaspersky analyzed two plugins: one captures screenshots every three seconds, the other collects from connected USB devices the contents of files with the following extensions: .doc, .docx, .xls, .xlsx, .rtf, .odt, .ods, .zip, .rar, .txt, .pdf.

“So far, we have found no direct links between the samples and data used in this campaign and any previously known actors.” concludes the report. “However, the campaign is still active, and our investigation continues. So, we believe that further discoveries may reveal additional information about this malware and the threat actor behind it.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CommonMagic)

The post New Bad Magic APT used CommonMagic framework in the area of Russo-Ukrainian conflict appeared first on Security Affairs.

Independent Living Systems data breach impacts more than 4M individuals

22 March 2023 at 07:28

US health services company Independent Living Systems (ILS) discloses a data breach that impacted more than 4 million individuals.

US health services company Independent Living Systems (ILS) disclosed a data breach that exposed personal and medical information for more than 4 million individuals.

Independent Living Systems offers a comprehensive range of turnkey payer services, including clinical and third-party administrative services, to managed care organizations and providers.

ILS provides assistance beyond the clinical realm at every stage of care from hospitalization to the treatment of chronic illnesses to personalized care management including nutritional support.

The company provides its services to over 4.2 million individuals.

“On July 5, 2022, we experienced an incident involving the inaccessibility of certain computer systems on our network. We responded to the incident immediately and began an investigation with the assistance of outside cybersecurity specialists. Through our response efforts, we learned that an unauthorized actor obtained access to certain ILS systems between June 30 and July 5, 2022.” reads the Notice of Data breach published by the company. “During that period, some information stored on the ILS network was acquired by the unauthorized actor, and other information was accessible and potentially viewed.”


The breach was discovered on July 5, 2022, when some of the company's systems became inaccessible, a circumstance that suggests a ransomware infection, although the notice does not say so explicitly. The company launched an investigation with the support of external cybersecurity experts, which revealed that threat actors had access to certain systems between June 30 and July 5.

The notice of data breach states that the types of impacted information vary by individual and could include name, address, date of birth, driver’s license, state identification, Social Security number, financial account information, medical record number, Medicare or Medicaid identification, CIN#, mental or physical treatment/condition information, food delivery information, diagnosis code or diagnosis information, admission/discharge date, prescription information, billing/claims information, patient name, and health insurance information.

The company is notifying the impacted individuals via letters.

ILS also notified the relevant authorities, including the Maine Attorney General’s office, whose filing reports that the breach impacted 4,226,508 individuals and lists June 3, 2022, as the date the breach occurred, which differs from the June 30 start date given in the company's own notice.

The company is offering impacted individuals 12 months of free Experian credit monitoring and identity restoration services.


BreachForums current Admin Baphomet shuts down BreachForums

22 March 2023 at 10:15

Baphomet, the current administrator of BreachForums, announced that the popular hacking forum has been officially taken down.

Last week U.S. law enforcement arrested a US citizen who goes online by the moniker “Pompompurin” and who is accused of being the owner of the popular hacking forum BreachForums.

The news of the arrest was first reported by Bloomberg, which reported that federal agents arrested Conor Brian Fitzpatrick from Peekskill, New York.

The man has been charged with soliciting individuals for the purpose of selling unauthorized access devices.

BreachForums was launched in 2022, after law enforcement seized RaidForums as a result of Operation TOURNIQUET.

Pompompurin always maintained that he was ‘not affiliated with RaidForums in any capacity.’

Law enforcement had yet to shut down the website, and another admin of the forum, who goes online by the alias “Baphomet”, announced that he was taking control of the platform.

Baphomet initially added that he believed the feds had not gained access to the infrastructure.


On March 21, 2023, Baphomet, the current administrator of BreachForums, announced that the hacking forum had been officially taken down.

The administrator's decision to shut down the forum is a response to increasing pressure from law enforcement; he likely suspected that the feds had gained access to components of the site and could take it over.

Baphomet also added that “it’s not the end” of the forum; he is likely planning to launch a new platform in the future.

“Hello everyone. Please consider this the final update for Breached. I will be taking down the forum, as I believe we can assume that nothing is safe anymore. I know that everyone wants the forum up, but there is no value in short term gain for what will likely be a long term loss by propping up Breached as it is. I want to make it clear, that while this initial announcement is not positive, it’s not the end. I’m going to setup another Telegram group for those who want to see what follows. You are allowed to hate me, and disagree with my decision but I promise what is to come will be better for us all.” reads the last message published by Baphomet. “As stated in the attached message please give me 24 hours to get some rest and give thought to how we move on from here. I will be back online after that, and we will talk. I am going nowhere. Please see my final confirmation of this here: http://baph.is/finalupdate.txt.asc”

[Image: BreachForums admin's last message]

We cannot exclude that Baphomet may launch a new platform or work with competitor marketplaces.

“Interestingly, he stated that the Telegram channel would maintain operation and that he was looking to create new infrastructure which would replace BreachForum even working with competitor marketplaces. As of writing, the onion site has been taken down and is unreachable.” reported DarkOwl.


ENISA: Ransomware became a prominent threat against the transport sector in 2022

22 March 2023 at 13:59

The European Union Agency for Cybersecurity (ENISA) published its first cyber threat landscape report for the transport sector.

A new report published by the European Union Agency for Cybersecurity (ENISA) analyzes threats and incidents in the transport sector. The report covers incidents in aviation, maritime, railway, and road transport industries between January 2021 and October 2022.


The report provides a detailed analysis of the prime threats to the transport sector, the threat actors and their motivations.

During the period covered by the report, the experts identified the following prime threats (shares of the analyzed incidents; the categories overlap, so they do not sum to 100%):

  • ransomware attacks (38%),
  • data related threats (30%),
  • malware (17%),
  • denial-of-service (DoS), distributed denial-of-service (DDoS) and ransom denial-of-service (RDoS) attacks (16%),
  • phishing / spear phishing (10%),
  • supply-chain attacks (10%).

During the reporting period, ransomware was the most prominent threat against the sector in 2022, with ransomware attacks almost doubling compared to the previous year. Threat actors behind ransomware attacks are not exclusively financially motivated.

Nation-state actors, cybercriminals and hacktivists are the threat actors with the biggest impact on organizations in the sector.

Most of the attacks on the transport sector (54%) are carried out by cybercriminals.

The report warns that hacktivist activity targeting the transport sector, including DDoS attacks, is likely to continue. Airports, railways and transport authorities are privileged targets of hacktivists.

The good news is that ENISA experts did not receive reliable information on a cyberattack affecting the safety of transport.

The researchers also warn that future ransomware attacks will likely target and disrupt OT operations.

“The majority of attacks on the transport sector target information technology (IT) systems. Operational disruptions can occur as a consequence of these attacks, but the operational technology (OT) systems are rarely being targeted.” states the report. “Ransomware groups will likely target and disrupt OT operations in the foreseeable future.”

The aviation sector faces multiple threats, with ransomware, malware and data-related threats being the most prominent. Experts also point to the number of ransomware attacks targeting airports and to rogue websites impersonating airlines, used by scammers, in 2022.

“Transport is a key sector of our economy that we depend on in both our personal and professional lives. Understanding the distribution of cyber threats, motivations, trends and patterns as well as their potential impact, is crucial if we want to improve the cybersecurity of the critical infrastructures involved.” said Juhan Lepassaar, EU Agency for Cybersecurity Executive Director.

The full report is available here:

https://www.enisa.europa.eu/publications/enisa-transport-threat-landscape


Experts released PoC exploits for severe flaws in Netgear Orbi routers

22 March 2023 at 18:15

Cisco Talos researchers published PoC exploits for vulnerabilities in Netgear Orbi 750 series router and extender satellites.

Netgear Orbi is a line of mesh Wi-Fi systems designed to provide high-speed, reliable Wi-Fi coverage throughout a home or business. The Orbi system consists of a main router and one or more satellite units that work together to create a seamless Wi-Fi network that can cover a large area with consistent, high-speed Wi-Fi.

One of the key benefits of the Orbi system is its use of mesh networking technology, which allows the satellite units to communicate with the main router and with each other to provide strong Wi-Fi coverage throughout the home or business.

Cisco worked with Netgear to resolve the issues and is disclosing them in line with the 90-day timeline outlined in Cisco’s vulnerability disclosure policy.

Cisco Talos researchers published Proof-of-concept (PoC) exploits for multiple vulnerabilities in Netgear’s Orbi 750 series router and extender satellites.

The experts discovered four vulnerabilities in the Netgear Orbi mesh wireless system. The most severe, tracked as CVE-2022-37337 (CVSS v3.1: 9.1), is a command execution flaw in the access control functionality of the Netgear Orbi router.

“A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5.” states Talos. “An attacker can make an authenticated HTTP request to trigger this vulnerability.”

A threat actor can exploit the flaw by sending a specially crafted HTTP request; because the request must be authenticated, the realistic precondition is weak or reused admin credentials, or an attacker who is already on the Wi-Fi network.

“Talos discovered a vulnerability in the Orbi Satellite — TALOS-2022-1596 (CVE-2022-37337) — that could lead to arbitrary command execution on the device. The user needs to authenticate into the mesh system first, meaning they’d need to access an unprotected network or the login credentials of a password-protected network, for this attack to be successful. Then, the adversary needs to send a specially crafted HTTP request to trigger the vulnerability.” reads the advisory published by Cisco Talos.

Cisco published a proof-of-concept exploit for this issue (reproduced as a screenshot in the original post).
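To make the bug class concrete, here is an added example written for this article; it is not Netgear's firmware code and not the Talos proof of concept, whose details are not reproduced above. The handler shape, the request parameter name mac and the iptables command are assumptions chosen for illustration. It contrasts a handler that interpolates a request parameter into a shell command line, which is what makes a "specially crafted HTTP request" sufficient for command execution, with one that validates the value against a strict pattern and passes it as a single argv element with no shell involved:

```python
import re
import subprocess

# Hypothetical access-control handler for an embedded router web UI.
# Illustrative code written for this article, not Netgear's firmware;
# the parameter name "mac" and the iptables command are assumed.

# Strict allow-list for the only value the handler should ever accept.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")

# Characters a POSIX shell treats as command separators or substitutions.
SHELL_METACHARS = set(";|&`$<>\n")


def build_block_command_vulnerable(mac: str) -> str:
    """Vulnerable pattern: the request value is pasted into a shell string.

    Anything after a ';' in `mac` becomes a second command when this string
    is handed to system() / popen() / subprocess with shell=True.
    """
    return f"iptables -A INPUT -m mac --mac-source {mac} -j DROP"


def build_block_command_hardened(mac: str) -> list[str]:
    """Hardened pattern: validate, normalise, and build an argv list.

    No shell is involved, so the value can only ever be one argument, and
    the allow-list rejects anything that is not a MAC address anyway.
    """
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"rejected access-control value: {mac!r}")
    return ["iptables", "-A", "INPUT", "-m", "mac",
            "--mac-source", mac.lower(), "-j", "DROP"]


def shell_injection_possible(command: str) -> bool:
    """True if a shell would interpret this string as more than one command."""
    return any(ch in SHELL_METACHARS for ch in command)


def hardened_accepts(mac: str) -> bool:
    """Does the hardened handler accept this value?"""
    try:
        build_block_command_hardened(mac)
        return True
    except ValueError:
        return False


def apply_block_rule(mac: str, dry_run: bool = True) -> list[str]:
    """Run the hardened command through subprocess with NO shell.

    dry_run=True (default) only returns the argv, so the example runs on
    any machine without root or iptables installed.
    """
    argv = build_block_command_hardened(mac)
    if not dry_run:
        subprocess.run(argv, check=True)  # argv list: nothing is shell-parsed
    return argv


if __name__ == "__main__":
    # Constructed payload: a valid-looking MAC followed by an injected command.
    payload = "aa:bb:cc:dd:ee:ff; /bin/sh -c id #"
    vuln = build_block_command_vulnerable(payload)
    print("vulnerable string :", vuln)
    print("injectable        :", shell_injection_possible(vuln))
    print("hardened accepts  :", hardened_accepts(payload))
    print("hardened argv     :", apply_block_rule("AA:BB:CC:DD:EE:FF"))
```

The same pattern applies to any value a router web UI forwards to a system utility (hostnames, interface names, SSIDs): authentication on the HTTP endpoint is not a substitute for validating the value, because every admin session, including one obtained with default credentials, is "authenticated".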

Below is the disclosure timeline for this issue, which was reported by Dave McDaniel of Cisco Talos:

2022-08-30 – Initial Vendor Contact
2022-09-05 – Vendor Disclosure
2023-01-19 – Vendor Patch Release
2023-03-21 – Public Release

Two other issues are tracked as TALOS-2022-1595 (CVE-2022-38452) and TALOS-2022-1597 (CVE-2022-36429). Both affect the main Orbi router, and their exploitation can lead to arbitrary command execution if the attacker sends a specially crafted network request or JSON object, respectively.

The last flaw discovered by Talos is tracked as TALOS-2022-1598 (CVE-2022-38458); an attacker in a man-in-the-middle position can exploit it to trick the device’s Web Services Management tool into disclosing sensitive information.

Netgear addressed the flaws with the release of the firmware version 4.6.14.3 on January 19, 2023.

Talos is not aware of attacks in the wild exploiting these flaws.

“Users are encouraged to update these affected products as soon as possible: Netgear Orbi Satellite RBS750, version 4.6.8.5. Talos tested and confirmed these versions of the Orbi system could be exploited by these vulnerabilities.” concludes the advisory.

Cisco also released Snort rules (60474 – 60477 and 60499) to detect exploitation attempts against these vulnerabilities.


Rogue ChatGPT extension FakeGPT hijacked Facebook accounts

22 March 2023 at 22:03

A trojanized version of a legitimate ChatGPT extension for Chrome, designed to steal Facebook accounts, has thousands of downloads.

Guardio’s security team uncovered a new variant of a malicious ChatGPT Chrome extension that was being downloaded thousands of times a day.

The version used in the recent campaign is based on a legitimate open-source project, to which the threat actors added malicious code to steal Facebook accounts.

The legitimate extension is named “ChatGPT for Google” and allows the integration of ChatGPT on search results.

The malicious extension has been distributed since March 14, 2023, through sponsored Google search results that lead to the official Chrome Web Store, where the experts found it had first been uploaded on February 14, 2023.

According to the researchers, it steals Facebook session cookies and compromises accounts en masse.

[Image] Left: the “FakeGPT” variant on the Chrome Web Store. Right: the genuine “ChatGPT for Google” extension.

“The new variant of the FakeGPT Chrome extension, titled “Chat GPT For Google”, is once again targeting your Facebook accounts under a cover of a ChatGPT integration for your Browser.” reads the post published by Guardio Labs. “This time, threat actors didn’t have to work hard on the look and feel of this malicious ChatGPT-themed extension — they just forked and edited a well-known open-source project that does exactly that. From zero to “hero” in probably less than 2 minutes.”

Users searching for “Chat GPT 4”, keen to test the latest version of the popular chatbot, end up clicking on a sponsored search result. The link redirects them to a landing page offering the ChatGPT extension from the official Chrome Web Store. The extension does give users access to ChatGPT from search results, but it also compromises their Facebook account.


Once the victim installs the extension, the malicious code runs from its onInstalled handler (the chrome.runtime.onInstalled event, so the theft happens at install time) to steal Facebook session cookies. The attackers then replay the stolen cookies to log in to the victim’s Facebook account and take it over; since a valid session cookie is reused rather than a password, neither password strength nor 2FA prevents the takeover once the cookie has been stolen, and the session itself has to be revoked.

The malicious code uses the Chrome extension cookies API to collect the list of cookies set for Facebook and encrypts them with AES using the key “chatgpt4google”.

The collected cookies are sent to the attackers’ server in a GET request.

“The cookies list is encrypted with AES and attached to the X-Cached-Key HTTP header value. This technique is used here to try and sneak the cookies out without any DPI (Deep Packet Inspection) mechanisms raising alerts on the packet payload (which is why it is encrypted as well).” continues the report. “Only note that there is no X-Cached-Key Header in the HTTP protocol! There is a X-Cache-Key header (without the ‘d’) used for responses, not requests.”
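The exfiltration described in the quote above is easy to spot on the wire if you look at request headers rather than payloads. The following Python is an added detection example written for this article, not Guardio's tooling; the header allow-list, the 64-character threshold and the sample requests (including the hypothetical host c2.example.invalid) are constructed assumptions. It parses a raw HTTP request and flags a response-only cache header appearing on a request, and a custom request header carrying a long base64-like blob:

```python
import base64
import re

# Added detection example (not Guardio's code): flag the header-smuggling
# pattern on a raw HTTP/1.1 request.

# Headers a browser normally sends; an assumption for this example, extend
# it for your own proxy / SIEM parser.
COMMON_REQUEST_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "connection", "referer", "cookie", "origin", "content-type",
    "content-length", "cache-control", "pragma", "upgrade-insecure-requests",
    "sec-fetch-site", "sec-fetch-mode", "sec-fetch-dest", "sec-fetch-user",
    "sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform", "x-requested-with",
    "authorization", "if-none-match", "if-modified-since", "dnt", "te",
}

# X-Cache-Key is a response header; the misspelled X-Cached-Key used by the
# extension does not exist at all. Either one on a *request* is a red flag.
RESPONSE_ONLY_HEADERS = {"x-cache-key", "x-cached-key"}

# Standard or URL-safe base64, at least 64 chars, optional '=' padding.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/_-]{64,}={0,2}$")


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, target, lowercased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.replace("\r\n", "\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def flag_request(raw: str, min_blob_len: int = 64) -> list[str]:
    """Return human-readable findings for one request; empty list if clean."""
    method, target, headers = parse_request(raw)
    findings: list[str] = []
    for name, value in headers.items():
        if name in RESPONSE_ONLY_HEADERS:
            findings.append(f"{name}: response-only header on a {method} request")
        if name in COMMON_REQUEST_HEADERS:
            continue
        if len(value) >= min_blob_len and BASE64_RE.match(value):
            # An opaque blob in a custom header looks like smuggled data rather
            # than a control value; the decoded size is reported for triage.
            stripped = value.rstrip("=")
            padded = stripped + "=" * (-len(stripped) % 4)
            try:
                size = len(base64.urlsafe_b64decode(
                    padded.replace("+", "-").replace("/", "_")))
            except ValueError:
                size = -1
            findings.append(f"{name}: {len(value)}-char base64-like value "
                            f"(~{size} bytes) in custom header of {method} {target}")
    return findings


# --- constructed sample traffic (not real captures) --------------------------
ENCRYPTED_BLOB = base64.b64encode(bytes(range(96))).decode()  # 128 chars

SUSPECT_REQUEST = (
    "GET /api/check HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\n"          # hypothetical attacker host
    "User-Agent: Mozilla/5.0\r\n"
    f"X-Cached-Key: {ENCRYPTED_BLOB}\r\n"
    "\r\n"
)

BENIGN_REQUEST = (
    "GET /search?q=chatgpt HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "X-Requested-With: XMLHttpRequest\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, flag_request(req) or "clean")
```

The encryption the report mentions defeats payload signatures, which is exactly why the check above ignores the content and looks at shape: a GET request should not carry a kilobyte of opaque data in a header that no browser or library sets.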

Guardio reported its findings to Google, which quickly removed the extension from the Chrome Web Store. At the time of removal, the malicious extension had been installed by more than 9,000 users.


Lionsgate streaming platform with 37m subscribers leaks user data

22 March 2023 at 22:42

Entertainment industry giant Lionsgate leaked users’ IP addresses and information about what content they watch on its movie-streaming platform, according to research from Cybernews.

Original post at https://cybernews.com/security/lionsgate-data-leak/

During their investigation, the Cybernews researchers discovered that the video-streaming platform Lionsgate Play had leaked user data through an open Elasticsearch instance.

The Cybernews research team found 20GB of unprotected server logs containing nearly 30 million entries, the oldest dated May 2022. The logs exposed subscribers’ IP addresses and data about their device, operating system and web browser.

Logs also leaked the platform’s usage data, typically used for analytics and performance tracking. URLs found in logs contained titles and IDs of what content users watched on the platform, along with search queries entered by the users.

Researchers also found unidentified hashes in logged HTTP GET requests. GET requests are the requests clients send to retrieve data from a web server, and web servers typically write them to their log files, which is exactly why any secret placed in a URL ends up in the logs.

Researchers could not determine the exact purpose or usage of the hashes. However, they took the fact that every hash was longer than 156 characters as an indication that the values were intended to remain unchanged for long periods of time.

“Hashes didn’t match any commonly used hashing algorithms. Since these hashes were included in the HTTP requests, we believe they could have been used as secrets for authentication, or just user IDs,” said researchers.
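Two practical checks follow from this: logs should be scrubbed of IP addresses and long opaque tokens before they reach an analytics store, and any token long and random enough to be a credential should never travel in a URL at all, because it will be logged. The Python below is an added example written for this article, not Cybernews' tooling; the 156-character threshold comes from the article, while the entropy threshold, the /16 masking and the sample log lines (with a deterministic stand-in for the unknown hashes) are constructed assumptions:

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Added example (not Cybernews' tooling): scrub server log lines before they
# are shipped to an analytics store, and flag long opaque tokens in URLs.

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Opaque tokens as they appear in paths / query strings (URL-safe alphabet).
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{32,}")


def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 is ~5.5-6.0, English text ~4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(token: str, min_len: int = 156, min_entropy: float = 4.0) -> bool:
    """Heuristic from the article: very long and high-entropy.

    MD5/SHA-1/SHA-256 hex digests are 32/40/64 chars and never reach min_len,
    so ordinary content hashes in URLs are left alone.
    """
    return len(token) >= min_len and shannon_entropy(token) >= min_entropy


def mask_ip(ip: str) -> str:
    """Keep the /16 for coarse geo/ISP analytics, drop the host part."""
    a, b, _, _ = ip.split(".")
    return f"{a}.{b}.x.x"


def scrub_log_line(line: str) -> tuple[str, dict[str, int]]:
    """Return (scrubbed line, counts of what was redacted)."""
    report = {"ips": 0, "secrets": 0}

    def _ip(m: re.Match) -> str:
        report["ips"] += 1
        return mask_ip(m.group(0))

    def _tok(m: re.Match) -> str:
        tok = m.group(0)
        if looks_like_secret(tok):
            report["secrets"] += 1
            return f"[REDACTED-{len(tok)}]"
        return tok  # titles, IDs and short hashes stay usable for analytics

    line = IPV4_RE.sub(_ip, line)
    line = TOKEN_RE.sub(_tok, line)
    return line, report


# --- constructed sample log lines (not from the leak) ------------------------
# A deterministic 171-char URL-safe blob standing in for the unknown "hashes".
OPAQUE_TOKEN = base64.urlsafe_b64encode(
    hashlib.sha512(b"a").digest() + hashlib.sha512(b"b").digest()
).decode().rstrip("=")

SAMPLE_LOGS = [
    '203.0.113.42 - - [01/May/2022:10:00:00 +0000] '
    f'"GET /play?title=Example&id=12345&h={OPAQUE_TOKEN} HTTP/1.1" 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/100"',
    '198.51.100.7 - - [01/May/2022:10:00:05 +0000] '
    '"GET /search?q=vampire+movies HTTP/1.1" 200 '
    '"Mozilla/5.0 (Linux; Android 12) Chrome/100"',
]

if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        scrubbed, report = scrub_log_line(raw)
        print(report, scrubbed)
```

Scrubbing at ingestion limits what an exposed index can leak, but it does not fix the root cause here: an Elasticsearch instance reachable without authentication. Both controls are needed, and the redaction counts the function returns double as a cheap alert that secrets are being written into URLs in the first place.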

Cybernews reached out to Lionsgate about the leak, and the company responded by closing the open instance. However, at the time of writing, it had yet to provide an official response.

Big hitter at risk

Lionsgate Entertainment Corporation, the Canadian-American entertainment company operating the platform, owns several well-known movie and TV franchises that have gained worldwide recognition, including the Twilight Saga, Saw, Terminator, The Hunger Games, and The Divergent Series.

While Netflix stays at the top of all streaming platforms with over 230 million subscribers, Lionsgate has over 37 million global subscribers and generated $3.6 billion in revenue last year.

Accelerated by COVID-19, the popularity of online streaming platforms has been growing. In 2022, the subscription rate to video-on-demand platforms in the US reached 83%, an increase of more than 30% over eight years.

But as the number of users on these platforms grows, they become a tempting target for cybercriminals. Even minor security loopholes can cause serious damage, yet security is often overlooked, and this case is an example of that tendency.

Data could aid cyberattacks

“With the growing number of new streaming services, we can see that the risk of misconfigurations and data breaches also grows,” said Cybernews researchers.

According to them, the leaked information in this particular case is not typically shared in hacker communities. Nevertheless, it is still sensitive.

“It can be useful in targeted attacks, especially when combined with other leaked or publicly available information,” researchers explained.

The combination of users’ IP addresses and device data can be exploited by malicious actors to create targeted attacks against them, delivering harmful payloads to their devices.

User-agent strings give attackers insight into which operating system and browser a user runs, helping them identify vulnerabilities that could be exploited.

A user-agent string describes the user’s browser, operating system and sometimes device model; websites use it to adapt how a page is rendered for that client.

“Threat actors can cross-reference a user’s search queries and viewed content with their IP address to build a more comprehensive profile of the individual,” researchers said.

Along with usage data, threat actors can identify patterns of behaviour and potentially use this information to craft more accurate, targeted phishing attacks aimed at stealing personal information.


Other streaming platforms affected by data leaks are covered in the original post at https://cybernews.com/security/lionsgate-data-leak/

About the author: Paulina Okunytė, Journalist at Cybernews


Pwn2Own Vancouver 2023 Day 1: Windows 11 and Tesla hacked

23 March 2023 at 10:10

On the first day of Pwn2Own Vancouver 2023, the organization awarded $375,000 (and a Tesla Model 3) for 12 zero-day flaws.

Pwn2Own Vancouver 2023 has begun; the hacking competition has 19 entries against nine different targets, including two Tesla attempts.

On the first day of the event, the organization awarded $375,000 (and a Tesla Model 3) for 12 zero-day vulnerabilities demonstrated by the participants.

That wraps up the first day of #P2OVancouver 2023! We awarded $375,000 (and a Tesla Model 3!) for 12 zero-days during the first day of the contest. Stay tuned for day two of the contest tomorrow! #Pwn2Own pic.twitter.com/UTvzqxmi8E

— Zero Day Initiative (@thezdi) March 22, 2023

The first hack of the day was performed by AbdulAziz Hariri (@abdhariri) of Haboob SA (@HaboobSa), who demonstrated a zero-day attack against Adobe Reader in the Enterprise Applications category. Hariri earned $50,000 and 5 Master of Pwn points.

One of the most interesting attacks was conducted by the Singapore team STAR Labs (@starlabs_sg), which successfully targeted Microsoft SharePoint in the Server category, earning $100,000 and 10 Master of Pwn points.


The STAR Labs team also hacked Ubuntu Desktop, but with a previously known exploit, earning $15,000 and 1.5 Master of Pwn points.

Bien Pham (@bienpnn) from Qrious Security (@qriousec) chained an out-of-bounds read and a stack-based buffer overflow against Oracle VirtualBox, earning $40,000 and 4 Master of Pwn points.

Researcher Marcin Wiązowski then exploited an improper input validation issue to elevate privileges on Windows 11, earning $30,000 and 3 Master of Pwn points.

The team from offensive security company Synacktiv (@Synacktiv) demonstrated a TOCTOU (time-of-check to time-of-use) attack against the Tesla Gateway, earning $100,000, 10 Master of Pwn points and a Tesla Model 3. The same team also exploited a TOCTOU bug to escalate privileges on Apple macOS, earning $40,000 and 4 Master of Pwn points.

The only failed attempt of the day was by last_minute_pwnie, who tried to demonstrate an Ubuntu exploit.

Pwn2Own Vancouver 2023 continues; stay tuned!


Dole discloses data breach after February ransomware attack

23 March 2023 at 11:41

Dole Food Company confirmed that threat actors behind the recent ransomware attack had access to employees’ data.

Dole Food Company is an Irish agricultural multinational and one of the world’s largest producers of fruit and vegetables, with 38,500 full-time and seasonal employees supplying some 300 products in 75 countries. Dole reported 2021 revenues of $6.5 billion.

In February, the company announced that it had suffered a ransomware attack that impacted its operations. At the time of the disclosure, the company did not provide details about the attack.

“Dole plc (DOLE:NYSE) announced today that the company recently experienced a cybersecurity incident that has been identified as ransomware.” reads a notice published by the company. “Upon learning of this incident, Dole moved quickly to contain the threat and engaged leading third-party cybersecurity experts, who have been working in partnership with Dole’s internal teams to remediate the issue and secure systems.”


Dole Food Company has now confirmed that the threat actors behind the February ransomware attack had access to the information of an undisclosed number of employees.

“We have in the past experienced, and may in the future face, cybersecurity incidents. In February of 2023, we were the victim of a sophisticated ransomware attack involving unauthorized access to employee information.” reads the annual report filed with the U.S. Securities and Exchange Commission (SEC). “Upon detecting the attack, we promptly took steps to contain the attack, retained the services of leading third-party cybersecurity experts and notified law enforcement. The February 2023 attack had a limited impact on our operations.”

In February the company had already said that the attack had a limited impact on its operations.

Despite the company’s denial of a major impact on its operations, the attack forced it to shut down production plants across North America.


Nexus, an emerging Android banking Trojan targets 450 financial apps

23 March 2023 at 14:30

Experts warn of an emerging Android banking trojan dubbed Nexus that was employed in attacks against 450 financial applications.

Researchers from cybersecurity firm Cleafy warn of an emerging Android banking trojan, named Nexus, that has been employed by multiple groups in attacks against 450 financial applications.

The Nexus trojan was first analyzed in early March by researchers from threat intelligence firm Cyble.

Nexus is offered under a Malware-as-a-Service (MaaS) subscription and has been advertised on underground forums and through private channels (e.g., Telegram) since January 2023.

It is available for rent at $3,000 per month.


However, Cleafy’s Threat Intelligence & Response Team reported having detected the first Nexus infections in June 2022, months before the MaaS was publicly advertised.

Experts believe that the Nexus trojan is still in an early stage of development, even though multiple campaigns are actively using it in the wild.

“Nexus provides all the main features to perform ATO attacks (Account Takeover) against banking portals and cryptocurrency services, such as credentials stealing and SMS interception. It also provides a built-in list of injections against 450 financial applications.” reads the analysis published by Cleafy.

The authors claim that Nexus was written entirely from scratch, but the researchers found similarities between Nexus and the SOVA banking trojan, which appeared on the threat landscape in August 2021.

Like other malware, Nexus does not infect devices located in Russia and CIS countries.

The Nexus trojan targets multiple banking and cryptocurrency applications in an attempt to take over customers’ accounts, relying on overlay attacks and keylogging to capture credentials.

The malware can also bypass two-factor authentication (2FA), whether delivered via SMS or the Google Authenticator app, by abusing Android’s accessibility services.

The Android trojan also supports an auto-update mechanism.

The analysis of various samples revealed that the malware contains encryption capabilities that appear to be under development, given the presence of debugging strings and the absence of any code that actually uses them.

“As always, the main question here is: Does it represent a threat to Android users? At the time of writing, the absence of a VNC module limits its action range and its capabilities; however, according to the infection rate retrieved from multiple C2 panels, Nexus is a real threat that is capable of infecting hundreds of devices around the world.” concludes the report. “Because of that, we cannot exclude that it will be ready to take the stage in the next few months.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post Nexus, an emerging Android banking Trojan targets 450 financial apps appeared first on Security Affairs.

Cisco fixed multiple severe vulnerabilities in its IOS and IOS XE software

23 March 2023 at 18:18

Cisco addressed multiple vulnerabilities in its IOS and IOS XE software; six of them have been rated ‘high severity’.

Cisco published the March 2023 Semiannual IOS and IOS XE Software Security Advisory that addresses several vulnerabilities in IOS and IOS XE software.

Below is the list of flaws addressed by the IT giant in this bundled publication:

Each entry lists the Cisco Security Advisory, the CVE ID, the Security Impact Rating and the CVSS Base Score:

  • Cisco IOS and IOS XE Software IPv6 DHCP (DHCPv6) Relay and Server Denial of Service Vulnerability – CVE-2023-20080 – High – CVSS 8.6
  • Cisco IOS XE Software Fragmented Tunnel Protocol Packet Denial of Service Vulnerability – CVE-2023-20072 – High – CVSS 8.6
  • Cisco IOS XE Software Virtual Fragmentation Reassembly Denial of Service Vulnerability – CVE-2023-20027 – High – CVSS 8.6
  • Cisco IOS XE SD-WAN Software Command Injection Vulnerability – CVE-2023-20035 – High – CVSS 7.8
  • Cisco IOS XE Software IOx Application Hosting Environment Privilege Escalation Vulnerability – CVE-2023-20065 – High – CVSS 7.8
  • Cisco IOS XE Software for Wireless LAN Controllers HTTP Client Profiling Denial of Service Vulnerability – CVE-2023-20067 – High – CVSS 7.4
  • Cisco Adaptive Security Appliance Software, Firepower Threat Defense Software, IOS Software, and IOS XE Software IPv6 DHCP (DHCPv6) Client Denial of Service Vulnerability – CVE-2023-20081 – Medium – CVSS 6.8
  • Cisco IOS XE Software for Wireless LAN Controllers CAPWAP Join Denial of Service Vulnerability – CVE-2023-20100 – Medium – CVSS 6.8
  • Cisco IOS XE Software Web UI Path Traversal Vulnerability – CVE-2023-20066 – Medium – CVSS 6.5
  • Cisco IOS XE Software Privilege Escalation Vulnerability – CVE-2023-20029 – Medium – CVSS 4.4

The most severe vulnerabilities addressed by the company are:

CVE-2023-20080 (CVSS score 8.6) – Cisco IOS and IOS XE Software IPv6 DHCP (DHCPv6) Relay and Server Denial of Service Vulnerability. An unauthenticated, remote attacker can trigger the flaw to cause a DoS condition.

“This vulnerability is due to insufficient validation of data boundaries. An attacker could exploit this vulnerability by sending crafted DHCPv6 messages to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly.” reads the advisory.

CVE-2023-20072 (CVSS score 8.6) – Cisco IOS XE Software Fragmented Tunnel Protocol Packet Denial of Service Vulnerability. An unauthenticated, remote attacker can trigger the flaw to cause an affected system to reload, resulting in a denial of service (DoS) condition.

“This vulnerability is due to the improper handling of large fragmented tunnel protocol packets. One example of a tunnel protocol is Generic Routing Encapsulation (GRE). An attacker could exploit this vulnerability by sending crafted fragmented packets to an affected system.” reads the advisory. “A successful exploit could allow the attacker to cause the affected system to reload, resulting in a DoS condition.”

CVE-2023-20027 (CVSS score 8.6) – Cisco IOS XE Software Virtual Fragmentation Reassembly Denial of Service Vulnerability. An unauthenticated, remote attacker can exploit this vulnerability to cause a denial of service (DoS) condition on a vulnerable device.

“This vulnerability is due to improper reassembly of large packets that occurs when VFR is enabled on either a tunnel interface or on a physical interface that is configured with a maximum transmission unit (MTU) greater than 4,615 bytes. An attacker could exploit this vulnerability by sending fragmented packets through a VFR-enabled interface on an affected device.” reads the advisory. “A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.”
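The advisory text above gives a concrete precondition for CVE-2023-20027: Virtual Fragmentation Reassembly (VFR) enabled on a tunnel interface, or on a physical interface whose MTU exceeds 4,615 bytes. The following script is an added example, not Cisco’s code or anything from the advisory, that applies exactly that condition to a saved running-config. The config excerpt is constructed for this example; the interface command names (`ip virtual-reassembly`, `mtu`) are standard IOS syntax, and the assumption is that an interface without an explicit `mtu` line runs at its platform default and therefore does not match the MTU clause.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Threshold taken from the CVE-2023-20027 advisory text quoted above.
VFR_MTU_THRESHOLD = 4615

# Constructed IOS XE-style running-config excerpt for this example;
# it is not a real device's configuration.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
interface GigabitEthernet0/0/0
 description uplink
 mtu 9216
 ip address 192.0.2.1 255.255.255.0
 ip virtual-reassembly in
!
interface GigabitEthernet0/0/1
 ip address 198.51.100.1 255.255.255.0
 ip virtual-reassembly
!
interface Tunnel10
 ip address 10.0.0.1 255.255.255.252
 ip virtual-reassembly
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.5
!
interface Tunnel20
 ip address 10.0.0.5 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.9
!
end
"""


@dataclass
class Interface:
    name: str
    mtu: Optional[int] = None   # None: no explicit "mtu" line (platform default)
    vfr: bool = False           # an "ip virtual-reassembly" sub-command is present


def parse_interfaces(config: str) -> List[Interface]:
    """Collect the interface stanzas of an IOS-style config.

    Interface sub-commands are indented by one space; any non-indented line
    ("!" or the next top-level command) closes the current stanza.
    """
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Interface(name=raw.split(None, 1)[1].strip())
            interfaces.append(current)
            continue
        if not raw.startswith(" "):
            current = None
            continue
        if current is None:
            continue
        cmd = raw.strip()
        m = re.match(r"^mtu (\d+)$", cmd)
        if m:
            current.mtu = int(m.group(1))
        elif cmd.startswith("ip virtual-reassembly"):
            current.vfr = True
    return interfaces


def vfr_exposed(iface: Interface) -> bool:
    """Precondition for CVE-2023-20027 as stated in the advisory: VFR enabled on a
    tunnel interface, or on a physical interface with an MTU above 4,615 bytes."""
    if not iface.vfr:
        return False
    if iface.name.lower().startswith("tunnel"):
        return True
    return iface.mtu is not None and iface.mtu > VFR_MTU_THRESHOLD


def audit_vfr(config: str) -> List[str]:
    """Return the names of the interfaces matching the vulnerable VFR condition."""
    return [i.name for i in parse_interfaces(config) if vfr_exposed(i)]


if __name__ == "__main__":
    for name in audit_vfr(SAMPLE_CONFIG):
        print(f"{name}: VFR configuration matches the CVE-2023-20027 precondition")
```

On the sample config this flags GigabitEthernet0/0/0 (VFR with MTU 9216) and Tunnel10 (VFR on a tunnel), and leaves GigabitEthernet0/0/1 and Tunnel20 alone. Treat the result as a triage aid, not a verdict: VFR can also be switched on implicitly by other IOS features that depend on it, so `show ip virtual-reassembly` on the device itself is the authoritative check, and the advisory’s fixed-release information still decides whether the code on the box is vulnerable at all.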

Cisco also addressed an IOS XE SD-WAN software command injection vulnerability tracked as CVE-2023-20035 (CVSS Score 7.8) and an IOS XE Software IOx Application Hosting Environment privilege escalation vulnerability tracked as CVE-2023-20065 (CVSS Score 7.8).

The good news is that the company is not aware of any in-the-wild attacks exploiting the flaws addressed in the semiannual IOS and IOS XE software security advisory bundle.


Experts published PoC exploit code for Veeam Backup & Replication bug

23 March 2023 at 21:02

Researchers released a PoC exploit code for a high-severity vulnerability in Veeam Backup & Replication (VBR) software.

Veeam recently addressed a high-severity flaw, tracked as CVE-2023-27532, in its Veeam Backup & Replication (VBR) software. An unauthenticated user with network access to the Veeam backup service (TCP port 9401 by default) can exploit the flaw to obtain stored credentials in cleartext.

A remote attacker can exploit the flaw to access the backup systems of a target organization and execute arbitrary code as ‘SYSTEM.’

“Vulnerability CVE-2023-27532 in a Veeam Backup & Replication component allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database.” reads the advisory published by the vendor. “This may lead to an attacker gaining access to the backup infrastructure hosts.”

The company addressed the flaw with the release of Veeam Backup & Replication build numbers:

The researchers at Horizon3’s Attack Team published technical details for this vulnerability along with a PoC exploit code.

The researchers reverse engineered the Veeam Backup Service, focusing on the port the service listens on.

The researchers discovered that it is possible to abuse an unsecured API endpoint to retrieve credentials in plaintext from the VBR configuration database.
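Because the endpoint needs no authentication, the only thing standing between an attacker and the credentials is network reachability of TCP/9401. A practical detection while patches roll out is to watch for successful connections to that port from hosts that are not part of the backup infrastructure. The script below is an added example, not code from Veeam, Horizon3 or Huntress; the log lines are constructed in a generic key=value firewall style and the allowed backup-infrastructure range is an assumption, so both `LINE_RE` and `BACKUP_INFRA` need adapting to a real environment.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Default listening port of the Veeam Backup Service, as stated in the article.
VEEAM_BACKUP_SERVICE_PORT = 9401

# Assumption for this example: only hosts in this range belong to the backup
# infrastructure and legitimately talk to the backup service.
BACKUP_INFRA = [ipaddress.ip_network("10.10.50.0/24")]

# Constructed connection-log lines in a generic key=value firewall style;
# the backup server is 10.10.50.5.
SAMPLE_LOG = """\
2023-03-23T10:01:02Z action=allow proto=tcp src=10.10.50.12 spt=51234 dst=10.10.50.5 dpt=9401
2023-03-23T10:01:05Z action=allow proto=tcp src=10.20.7.33 spt=50211 dst=10.10.50.5 dpt=9401
2023-03-23T10:01:06Z action=allow proto=tcp src=10.20.7.33 spt=50212 dst=10.10.50.5 dpt=9401
2023-03-23T10:02:10Z action=allow proto=tcp src=192.0.2.77 spt=44000 dst=10.10.50.5 dpt=9401
2023-03-23T10:02:11Z action=allow proto=tcp src=10.20.7.33 spt=50213 dst=10.10.50.5 dpt=445
2023-03-23T10:02:15Z action=deny proto=tcp src=203.0.113.9 spt=40001 dst=10.10.50.5 dpt=9401
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) spt=(?P<spt>\d+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields; None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_backup_infra(ip: str) -> bool:
    """True when the address falls inside the allowed backup-infrastructure ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BACKUP_INFRA)


def find_unexpected_clients(log_text: str) -> List[Dict[str, str]]:
    """Allowed TCP connections to the backup service port from hosts outside the
    backup infrastructure. Denied connections are ignored: the concern is a
    completed connection, because CVE-2023-27532 needs no credentials once the
    port is reachable."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if (
            ev["action"] == "allow"
            and ev["proto"] == "tcp"
            and int(ev["dpt"]) == VEEAM_BACKUP_SERVICE_PORT
            and not is_backup_infra(ev["src"])
        ):
            hits.append(ev)
    return hits


def clients_by_source(log_text: str) -> Counter:
    """Number of unexpected backup-service connections per source address."""
    return Counter(ev["src"] for ev in find_unexpected_clients(log_text))


if __name__ == "__main__":
    for src, n in clients_by_source(SAMPLE_LOG).most_common():
        print(f"{src}: {n} connection(s) to TCP/{VEEAM_BACKUP_SERVICE_PORT} "
              "from outside the backup perimeter")
```

On the sample it reports 10.20.7.33 twice and 192.0.2.77 once; the SMB connection on port 445 and the denied attempt from 203.0.113.9 are not counted. The same allowlist is also what a firewall rule in front of the backup server should enforce, so that the port is reachable only from hosts that genuinely belong to the backup infrastructure.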

This is made possible by the great prior research of @HuntressLabs, @Y4er_ChaBug, @codewhitesec!

— Horizon3 Attack Team (@Horizon3Attack) March 23, 2023

“We have examined the vulnerable port, reverse engineered the Veeam Backup Service, and constructed a WCF client using .NET core. We have also shown how to extract credentials from the Veeam database by invoking the CredentialsDbScopeGetAllCreds and CredentialsDbScopeFindCredentials endpoints. Finally, we have released our POC on Github, which is built on .NET core and capable of running on Linux, making it accessible to a wider audience.” reads the analysis published by the experts. “It is important to note that this vulnerability should be taken seriously and patches should be applied as soon as possible to ensure the security of your organization.”

The researchers explained that their work builds on the “great prior research” conducted by researchers from HuntressLabs, CODE WHITE GmbH, and Y4er_ChaBug.

Veeam Backup & Replication CVE-2023-27532 Response (By HuntressLabs)

Huntress researchers reported that, across their install base of about 2 million endpoints, they found roughly 7,500 hosts running a vulnerable version of the Veeam Backup & Replication service.


Hundreds of thousands of users at risk from data leak at Korean beauty platform PowderRoom

23 March 2023 at 22:14

South Korean beauty content platform, PowderRoom, has leaked the personal information of nearly one million people.

  • Established in 2003, PowderRoom is a South Korean beauty content platform connecting 3.5 million members and thousands of beauty brands
  • It calls itself the first and the biggest beauty community in South Korea that “allows you to experience new brand products faster than anyone else and share the experience”
  • It exposed up to a million users’ full names, phone numbers, emails, Instagram usernames and home addresses
  • The database was publicly available for over a year
  • Attackers could have exploited the data to launch phishing and device hijacking attacks, make unauthorized purchases, and stalk users
  • Cybernews reached out to PowderRoom and the Korean National Computer Emergency Response Team, and the data was secured

The Cybernews research team discovered that the South Korean social platform, powderroom.co.kr – which markets itself as the nation’s biggest beauty community – was leaking the private data of a million users.

The platform exposed full names, phone numbers, emails, Instagram usernames, and even home addresses. Researchers estimate that the database was publicly available for over a year.

Backed by beauty-product manufacturers, PowderRoom has hundreds of thousands of followers on social media, and its Android app has been downloaded more than 100,000 times on Google Play.

On the platform, users can review beauty products while being encouraged to actively participate and receive perks.

Personal data leaked

On December 15, researchers found a publicly accessible database with nearly 140GB of data. Some server logs included entries containing personal information, such as names, phone numbers, and home addresses, along with metadata about user devices and browsers used to access the site. The dataset included over a million email addresses.

Among the leaked data, researchers found a million tokens used for authentication and accessing the website.

Abusing them, threat actors could hijack user accounts and purchase products on the platform using the payment methods linked with the account. Additionally, attackers could modify account details, and post comments and reviews.

Leaking home addresses and phone numbers is a cause of concern, since exposing such information might lead to in-person stalking or harassment of the users of the platform.

If you want to know how to protect yourself, take a look at the original post at: https://cybernews.com/security/powder-room-data-leak/

Update March 25, 2023

Below is the message sent by PowderRoom CEO to clarify some points:

The issue was solved on March 3rd.

1. You mentioned that our customer information cannot cause a purchase.

We don’t have card and payment information and so “unauthorized purchases” are not impossible.
2. Also, I’d like you to exclude any mention of speculative damage that can be used for crimes such as stalking.
3. There is a difference in the number of members we have.

There are about 200,000 people who have personal information and have logged in at least once.
Therefore, the 1 million number might be the number of login auth tokens, so we hope the title “A million at risk from user data leak at Korean beauty platform” gets changed.

Thank you again for pointing out that we can resolve security.
We will also strengthen the security system with the cooperation of the Korean security agency.

About the author: Paulina Okunytė, Journalist at CyberNews


Pwn2Own Vancouver 2023 Day 2: Microsoft Teams, Oracle VirtualBox, and Tesla hacked

24 March 2023 at 10:39

On the second day of Pwn2Own Vancouver 2023, the organization awarded $475,000 for 10 unique zero-day vulnerabilities.

On the second day of Pwn2Own Vancouver 2023, the organization awarded $475,000 for 10 unique zero-day vulnerabilities, bringing the total awarded to $850,000!

The bug hunters demonstrated zero-day attacks against the Oracle VirtualBox virtualization platform, Microsoft Teams, Tesla Model 3, and the Ubuntu Desktop OS.

The day began with the success/collision achieved by Thomas Imbert (@masthoon) and Thomas Bouzerar (@MajorTomSec) from Synacktiv (@Synacktiv), who demonstrated a 3-bug chain against Oracle VirtualBox with a Host EoP. The success was classified as a “collision” because one of the bugs exploited in the attack was previously known. The duo earned $80,000 and 8 Master of Pwn points.

The researchers @hoangnx99, @rskvp93, and @_q5ca from Team Viettel (@vcslab) chained 2 vulnerabilities to hack Microsoft Teams. They earned $75,000 and 8 Master of Pwn points.

The most interesting attack was conducted by David Berard (@_p0ly_) and Vincent Dehors (@vdehors) from Synacktiv (@Synacktiv), who exploited a heap overflow and an OOB write against the Tesla Infotainment system to obtain unconfined root. They qualified for a Tier 2 award, earning $250,000 and 25 Master of Pwn points. The team also won the Tesla Model 3 they had hacked.


The researcher dungdm (@_piers2) of Team Viettel (@vcslab) exploited an uninitialized variable and a UAF bug to hack Oracle VirtualBox. He earned $40,000 and 4 Master of Pwn points.

Tanguy Dubroca (@SidewayRE) from Synacktiv demonstrated an incorrect pointer scaling zero-day leading to privilege escalation on Ubuntu Desktop. He earned $30,000 and 3 Master of Pwn points.

“That wraps up Day 2 of Pwn2Own Vancouver 2023! We awarded $475,000 for 10 unique zero-days during the second day of the contest. We’ll continue posting results and videos to Twitter, YouTube, Mastodon, LinkedIn, and Instagram, so follow us on your favorite flavor of social media for the latest news from the event.” concludes the post published by ZDI.

On the first day of Pwn2Own Vancouver 2023, the organization awarded $375,000 (and a Tesla Model 3) for 12 zero-day flaws.

The Pwn2Own Vancouver 2023 continues … stay tuned!


Critical flaw in WooCommerce Payments plugin allows site takeover

24 March 2023 at 14:45

A patch for a critical vulnerability in the WooCommerce Payments plugin for WordPress has been released for over 500,000 websites.

On March 23, 2023, researchers from Wordfence observed that the “WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo” plugin had been updated to version 5.6.2.

The WooCommerce Payments plugin is a fully integrated payment solution for the WooCommerce open source e-commerce platform, the plugin is developed by Automattic. WooCommerce Payments is installed on over 500,000 sites.

The researchers analyzed the patch and determined that the development team behind the plugin has removed a portion of code that could have allowed an unauthenticated attacker to impersonate an administrator and completely take over a WordPress website without any user interaction.

The vulnerability impacts plugin versions 4.8.0 through 5.6.1, it was first discovered by Michael Mazzolini from penetration testing firm GoldNetwork.

“We developed a Proof of Concept and began writing and testing a firewall rule immediately. The rule was released the same day, on March 23, 2023 to Wordfence Premium, Wordfence Care, and Wordfence Response customers.” reads the advisory published by Wordfence.

“Regardless of the version of Wordfence you are using, we urge you to update to the latest version of the WooCommerce Payments plugin, which is 5.6.2 as of this writing, immediately.”

According to the analysis conducted by the WordPress security firm Sucuri, the vulnerability resides in a PHP file called “class-platform-checkout-session.php.”

Automattic is pushing automatic (forced) updates to all WordPress websites using the plugin.

WooCommerce recommends admins of websites using the plugin to:

  1. Update woocommerce-payments to version 5.6.2 immediately
  2. Change all administrator passwords
  3. Rotate your payment gateway and WooCommerce API keys

The good news is that there is no evidence that the vulnerability has been actively exploited in the wild, however, experts warn that threat actors could use it very soon.


City of Toronto is one of the victims hacked by Clop gang using GoAnywhere zero-day

24 March 2023 at 18:36

Clop ransomware gang added the City of Toronto to the list of its victims, it is another organization compromised by exploiting GoAnywhere zero-day.

The Clop ransomware gang added the City of Toronto to the list of victims published on its Tor leak site. The City was targeted as part of a campaign exploiting the recently disclosed zero-day vulnerability in Fortra’s GoAnywhere secure file transfer tool.

The gang is very active and recently claimed to have breached dozens of large organizations, including Rubrik, Onex, Axis Bank, Rio Tinto, Hitachi Energy, and Virgin Group, as reported by the security expert Dominic Alvieri.

One of the top cybersecurity stories of the year is unfolded with CL0P^_- going everywhere.

39 posts today, 72 for the week to date, 58 left roughly.

Rubrik
Onex
Axis Bank
Rio Tinto
Investissement Québec
Hitachi Energy
Saks Fifth Avenue
Procter and Gamble
Pension Protection… pic.twitter.com/XeXFnQRRbc

— Dominic Alvieri (@AlvieriD) March 23, 2023

The news of the hack was also confirmed by BleepingComputer, which reached out to a spokesperson for the City of Toronto. The City government launched an investigation into the incident to determine the extent of the security breach.

“Today, the City of Toronto has confirmed that unauthorized access to City data did occur through a third party vendor. The access is limited to files that were unable to be processed through the third party secure file transfer system.” a City spokesperson told BleepingComputer.

In early February, investigative journalist Brian Krebs first revealed details about the zero-day on Mastodon and pointed out that Fortra had yet to publish a public advisory.

According to the private advisory published by Fortra, the zero-day is a remote code injection issue that impacts GoAnywhere MFT. The vulnerability can only be exploited by attackers with access to the administrative console of the application.

Installations whose administrative console and management interfaces are not exposed to the internet are not reachable by this attack; however, security researcher Kevin Beaumont found about 1,000 internet-facing consoles.

Fortra recommends GoAnywhere MFT customers review all administrative users and monitor for unrecognized usernames, especially those created by “system.”
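Fortra’s guidance above (review all administrative users, look for unrecognized usernames, especially those created by “system”) translates directly into a small audit over an export of the admin accounts. The script below is an added example, not Fortra’s tooling; the CSV column layout is an assumption made for the example and does not reflect the real GoAnywhere MFT export format, the export rows are constructed, and the reviewed-baseline set and the review cut-off date are assumptions that a real team would replace with its own.

```python
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List, Set

# Assumption for this example: admin accounts that have already been reviewed
# and vouched for by the team.
KNOWN_ADMINS: Set[str] = {"goa.admin", "backup.ops"}

# Assumption for this example: review window start. The article dates the
# public disclosure to early February 2023, so a January cut-off is a safe margin.
REVIEW_SINCE = datetime(2023, 1, 1, tzinfo=timezone.utc)

# Constructed export of user accounts. The column layout is an assumption
# for this example, not the GoAnywhere MFT export format.
SAMPLE_EXPORT = """\
username,created_by,created_on,role
goa.admin,root,2021-05-04T09:12:00Z,admin
backup.ops,goa.admin,2022-01-19T14:03:00Z,admin
svc_sync,system,2023-02-01T03:21:44Z,admin
helpdesk1,goa.admin,2022-11-08T10:00:00Z,user
"""


def _parse_ts(value: str) -> datetime:
    # fromisoformat() in older Pythons does not accept a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_admin_users(export_csv: str, known_admins: Set[str],
                       since: datetime) -> List[Dict[str, object]]:
    """Flag administrative accounts matching Fortra's guidance: created by
    'system', absent from the reviewed baseline, or created inside the window
    in which the zero-day was being exploited. Each finding lists every reason
    so that a reviewer can prioritise accounts that match more than one."""
    findings: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["role"].strip().lower() != "admin":
            continue
        reasons = []
        if row["created_by"].strip().lower() == "system":
            reasons.append("created by 'system'")
        if row["username"] not in known_admins:
            reasons.append("not in reviewed baseline")
        if _parse_ts(row["created_on"]) >= since:
            reasons.append("created on or after " + since.date().isoformat())
        if reasons:
            findings.append({"username": row["username"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_admin_users(SAMPLE_EXPORT, KNOWN_ADMINS, REVIEW_SINCE):
        print(f"{f['username']}: " + "; ".join(f["reasons"]))
```

On the sample export only `svc_sync` is reported, for all three reasons at once; `helpdesk1` is skipped because it is not an administrative account. An account that shows up for the “system” reason alone still deserves a look, since that is precisely the creator name Fortra singles out.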

In February, the Clop ransomware group claimed to have stolen sensitive data from over 130 organizations by exploiting a zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer tool, BleepingComputer reported.


China-linked hackers target telecommunication providers in the Middle East

24 March 2023 at 21:04

Researchers reported that China-linked hackers targeted telecommunication providers in the Middle East in the first quarter of 2023.

In the first quarter of 2023, SentinelLabs researchers spotted the initial phases of attacks against telecommunication providers in the Middle East.

According to the researchers, the activity is part of the Operation Soft Cell that was first reported in June 2019 by Cybereason.

At the time, researchers at Cybereason uncovered a long-running espionage campaign, tracked as Operation Soft Cell, that targeted telco providers. The tactics, techniques, and procedures, together with the type of targets, suggested the involvement of a nation-state actor likely linked to the Chinese APT10 group.

Once they had compromised the networks of the telecommunication companies, the attackers aimed at accessing mobile phone users’ call data records.

SentinelLabs linked the recent attacks to a China-linked cyberespionage group in the nexus of Gallium and APT41, but the exact grouping has yet to be determined.

The threat actors employed a new dropper mechanism which is evidence of an ongoing development effort by a highly-motivated threat actor.

“In collaboration with QGroup GmbH, SentinelLabs recently observed initial threat activities targeting the telecommunication sector. We assess it is highly likely that these attacks were conducted by a Chinese cyberespionage actor related to the Operation Soft Cell campaign.” reads the report published by SentinelLabs. “The initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy webshells used for command execution. Once a foothold is established, the attackers conduct a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities.”

The threat actors used custom credential theft malware, tracked as mim221, that bundles a series of Mimikatz modifications into closed-source tooling.

The researchers believe that mim221 is a recent version of an actively maintained credential theft malware that was enhanced by implementing new anti-detection features.

“The use of special-purpose modules that implement a range of advanced techniques shows the threat actors’ dedication to advancing its toolset towards maximum stealth.” reads the analysis published by SentinelLabs. “These techniques include

  • in-memory mapping of malicious images to evade EDR API hooks and file-based detections
  • surgically terminating Event Log threads instead of the host process to inhibit logging without raising suspicions
  • staging a credential theft capability in the LSASS process itself by abusing native Windows capabilities.”
mim221 execution overview

The experts observed command execution through webshells on compromised Microsoft Exchange server deployments as initial attack indicators.

“It is worth noting that the attackers’ activities at one of the targets suggested previous knowledge of the environment. We had observed activity at the same target a few months prior, which we attributed to Gallium primarily based on the use of the group’s PingPull backdoor and TTPs.” concludes the report. “Our analysis of mim221 highlights the continuous maintenance and further development of the Chinese espionage malware arsenal. These threat actors will almost certainly continue exploring and upgrading their tools with new techniques for evading detection, including integrating and modifying publicly available code.”


CISA announced the Pre-Ransomware Notifications initiative

24 March 2023 at 22:28

The US Cybersecurity and Infrastructure Security Agency (CISA) announced the Pre-Ransomware Notifications service to help organizations stop ransomware attacks before damage occurs.

The US Cybersecurity and Infrastructure Security Agency announced a new Pre-Ransomware Notification initiative that aims at alerting organizations of early-stage ransomware attacks.

The principle behind the initiative is simple: ransomware actors first gain access to the target organization and then take some time before stealing or encrypting data. The interval between initial access to a network and the encryption of its systems can last from hours to days.

Being able to notify the victims in this time window can help them to limit the damages caused by the ransomware attack.

“This window gives us time to warn organizations that ransomware actors have gained initial access to their networks.” reads the announcement made by the US agency. “These early warnings can enable victims to safely evict the ransomware actors from their networks before the actors have a chance to encrypt and hold critical data and systems at ransom. Early warning notifications can significantly reduce potential loss of data, impact on operations, financial ramifications, and other detrimental consequences of ransomware deployment.”

The CISA Joint Cyber Defense Collaborative (JCDC) collects information about potential early-stage ransomware activity from multiple sources, including the research community, infrastructure providers, and cyber threat intelligence firms.

CISA’s field personnel across the country then notify the victim organization and provide specific mitigation guidance. The agency also notifies organizations outside the United States through its international CERT partners.

Since the start of 2023, CISA has notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential early-stage ransomware attacks. The initiative proved its value because many of the alerted organizations remediated the intrusion before encryption or exfiltration took place.

“Continuing to enhance our collective cyber defense is contingent upon persistent collaboration and information sharing between partners across government and the private sector.” concludes the announcement. “To enable the broader cyber community to benefit from valuable threat intelligence, we urge organizations to report observed activity, including ransomware indicators of compromise and TTPs, to CISA or our federal law enforcement partners, including the FBI and the U.S. Secret Service.”


Pwn2Own Vancouver 2023 awarded $1,035,000 and a Tesla for 27 0-days

25 March 2023 at 15:44

On the third day of the Pwn2Own Vancouver 2023 hacking contest, the organization awarded $185,000 for 5 zero-day exploits.

Pwn2Own Vancouver 2023 has ended: contestants disclosed 27 unique zero-days and the organization awarded a total of $1,035,000 and a Tesla Model 3. The Synacktiv team (@Synacktiv) (Benoist-Vanderbeken, David Berard, Vincent Dehors, Tanguy Dubroca, Thomas Bouzerar, and Thomas Imbert) won the competition, earning 53 points, $530,000, and a Tesla Model 3.

On the third day, contestants were awarded $185,000 after demonstrating 5 zero-day exploits targeting the Ubuntu Desktop, Windows 11, and the VMware Workstation software.


The day began with the hack of Ubuntu Desktop by Kyle Zeng from ASU SEFCOM, he used a double-free bug and earned $30,000 and 3 Master of Pwn points.

Thomas Imbert (@masthoon) from Synacktiv (@Synacktiv) used a UAF against Microsoft Windows 11. He earned $30,000 and 3 Master of Pwn points.

Researcher Mingi Cho of Theori used a UAF against Ubuntu Desktop and earned $30,000 and 3 Master of Pwn points.

The STAR Labs (@starlabs_sg) team used an uninitialized variable and a UAF to hack the VMware Workstation virtualization software. They earned $80,000 and 8 Master of Pwn points. The STAR Labs team also attempted to demonstrate an exploit against Microsoft Teams, but failed to do so within the time allotted.

Bien Pham (@bienpnn) from Qrious Security successfully targeted Ubuntu Desktop, but used a known exploit, for this reason, the attempt was classified as “Collision”. The team earned $15,000 and 1.5 Master of Pwn points.

“That’s a wrap for Pwn2Own Vancouver! Contestants disclosed 27 unique zero-days and won a combined $1,035,000 (and a car)! Congratulations to the Masters of Pwn, Synacktiv (@Synacktiv), for their huge success and hard work! They earned 53 points, $530,000, and a Tesla Model 3.” reads the wrap for the hacking competition that was published by The Zero Day Initiative.


NCA infiltrates the cybercriminal underground with fake DDoS-for-hire sites

25 March 2023 at 20:58

The U.K. National Crime Agency (NCA) revealed that it has set up a number of fake DDoS-for-hire sites to infiltrate the online criminal underground.

The UK National Crime Agency announced it has infiltrated the online criminal marketplace by setting up several sites purporting to offer DDoS-for-hire services.

DDoS-for-hire or ‘booter’ services allow registered users to order DDoS attacks without any specific technical knowledge.

While the NCA-run sites were up and running, they were accessed by several thousand people, whose registration data were collected by the investigators. The UK authorities will contact registered users based in the UK and warn them about engaging in cyber crime. Information relating to users based overseas is being passed to international law enforcement.

“All of the NCA-run sites, which have so far been accessed by around several thousand people, have been created to look like they offer the tools and services that enable cyber criminals to execute these attacks,” reads the announcement. “However, after users register, rather than being given access to cyber crime tools, their data is collated by investigators.”

The activity is part of a coordinated international operation named Operation Power Off that is targeting DDoS-for-hire infrastructures worldwide.


In December, the U.S. Department of Justice (DoJ) seized 48 domains associated with the DDoS-for-Hire Service platforms (aka Booter services) used by threat actors. The websites seized by the feds were used to launch millions of actual or attempted DDoS attacks targeting victims worldwide.

“Booter services are a key enabler of cyber crime.” said Alan Merrett from the NCA’s National Cyber Crime Unit. “The perceived anonymity and ease of use afforded by these services means that DDoS has become an attractive entry-level crime, allowing individuals with little technical ability to commit cyber offences with ease.”

“Traditional site takedowns and arrests are key components of law enforcement’s response to this threat. However, we have extended our operational capability with this activity, at the same time as undermining trust in the criminal market.”



Vice Society claims attack on Puerto Rico Aqueduct and Sewer Authority

26 March 2023 at 06:05

Puerto Rico Aqueduct and Sewer Authority (PRASA) is investigating a cyber attack with the help of the FBI and US CISA.

The Puerto Rico Aqueduct and Sewer Authority (PRASA) is investigating a cyberattack that last week hit the agency. The agency quickly activated the incident response procedure after the attack.

The attack was disclosed on March 19; the threat actors had access to customer and employee information. The agency will notify the impacted customers and employees via breach notification letters.

The agency pointed out that operations at the critical infrastructure managed by the agency in Puerto Rico were not impacted.

“It should be noted that once the incident was detected and from the first moment we have been working with the relevant authorities, the FBI and CISA [Cybersecurity and Infrastructure Security Agency], specifically,” said Nannette Martínez, executive director of the Puerto Rico Aqueduct and Sewer Authority’s (PRASA) office of innovation and technology.

At this time, the agency has yet to reveal the name of the group behind the attack, but the Vice Society ransomware gang added the authority to the list of victims on its Tor leak site. The ransomware gang leaked the passports, driver’s licenses and other documents of the impacted individuals.

Puerto Rico Aqueduct and Sewer Authority (PRASA)

Executive president Doriel Pagán only said that the attack was perpetrated by a “criminal organization [that] has already been identified at the national level.”

“Because this is an ongoing investigation, we are unable to comment further. However, we assure all our clients that the services offered by the Authority are still valid and we continue working to provide a quality and efficient service,” Pagán said.

The agency recommends that customers change their passwords.

In early March, the Biden administration announced that it will make it mandatory for the states to conduct cybersecurity audits of public water systems.

Water systems are critical infrastructures that are increasingly exposed to the risk of cyberattacks by both cybercriminal organizations and nation-state actors, the US Environmental Protection Agency reported.

“Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable,” said EPA Assistant Administrator Radhika Fox, as reported by the Associated Press. “Cyberattacks have the potential to contaminate drinking water.”

According to government officials, recent audits revealed a lack of proper defenses, mainly on the operational technology deployed in water systems. Many of these systems lack basic cybersecurity practices and rely on voluntary measures that have made little progress.


Microsoft shares guidance for investigating attacks exploiting CVE-2023-23397

26 March 2023 at 14:40

Microsoft is warning of cyber attacks exploiting a recently patched Outlook vulnerability tracked as CVE-2023-23397 (CVSS score: 9.8).

Microsoft has published guidance for investigating attacks that exploit the recently patched Outlook vulnerability tracked as CVE-2023-23397.

The flaw is a Microsoft Outlook spoofing vulnerability that can lead to an authentication bypass.

A remote, unauthenticated attacker can exploit the flaw to access a user’s Net-NTLMv2 hash by sending a specially crafted e-mail to an affected system.

“An attacker who successfully exploited this vulnerability could access a user’s Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user.” reads the advisory published by Microsoft. “The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane.” “External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers’ control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim.”

The vulnerability was reported by CERT-UA together with Microsoft Incident Response and Microsoft Threat Intelligence (MSTI), which suggests that it has been exploited by a nation-state actor.

Microsoft addressed the flaw as part of its Patch Tuesday updates for March 2023.

The guidance published by Microsoft includes details about the attacks that used the vulnerability. The following diagram shows attackers gaining initial access through a Net-NTLMv2 relay attack, maintaining persistence by modifying mailbox folder permissions, and moving laterally by sending additional malicious messages.

CVE-2023-23397 attack
Observed threat actor exploitation of CVE-2023-23397 to gain unauthorized access to Exchange Server and modify mailbox folder permissions for persistent access to the mailbox. (Microsoft)

In the following attack scenario, threat actors used the compromised email account to extend their access within the compromised environment by targeting other members of the same organization.

CVE-2023-23397 attack
Observed threat actor activity to extend their access in a compromised environment by using a compromised e-mail account to target other members of the same organization (Microsoft)

“While leveraging NTLMv2 hashes to gain unauthorized access to resources is not a new technique, the exploitation of CVE-2023-23397 is novel and stealthy. Even when users reported suspicious reminders on tasks, initial security review of the messages, tasks, or calendar items involved did not result in detection of the malicious activity.” concludes the guidance. “Furthermore, the lack of any required user interaction contributes to the unique nature of this vulnerability. In this document, Microsoft Incident Response has highlighted threat hunting techniques and strategy for exploitation of this CVE, alongside some hunting techniques for observed post-exploitation threat actor behaviors. Furthermore, a broad threat hunting for anomalous user activity consistent with credential compromise is advised.”

The guidance also includes indicators of attack for this campaign.
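One way to hunt for this in exported mailbox data, as an added example and not Microsoft's own hunting script: the guidance inspects the reminder-sound path property of messages, tasks and calendar items (PidLidReminderFileParameter), because a reminder path pointing at a network share is what makes Outlook connect to an external UNC location. The items below are constructed; the `reminder_file_parameter` field name, the `find_suspicious_reminders` function and the allowlists are my assumptions about what an export from a hunting script would look like.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample of exported calendar/task items (not real mailbox data).
# "reminder_file_parameter" stands for the item's reminder-sound path property,
# assumed to have been pulled out of the mailbox by an export or hunting script.
SAMPLE_ITEMS: List[Dict] = [
    {"id": 1, "subject": "Quarterly review", "sender": "cfo@corp.example",
     "reminder_file_parameter": None},
    {"id": 2, "subject": "Pay invoice", "sender": "billing@corp.example",
     "reminder_file_parameter": r"\\fileserver.corp.example\media\ping.wav"},
    {"id": 3, "subject": "Urgent: contract", "sender": "partner@mail.example.net",
     "reminder_file_parameter": r"\\203.0.113.45\share\notify.wav"},
    {"id": 4, "subject": "Weekly sync", "sender": "pm@corp.example",
     "reminder_file_parameter": r"C:\Windows\Media\chimes.wav"},
    {"id": 5, "subject": "Re: budget", "sender": "hr@corp.example",
     "reminder_file_parameter": r"\\10.0.0.200\media\beep.wav"},
]

# \\host\share\... or \\host (the host part is everything up to the next separator)
UNC_HOST_RE = re.compile(r"^\\\\([^\\/]+)(?:[\\/]|$)")


def unc_host(path: str) -> Optional[str]:
    """Return the lower-cased host of a UNC path, or None for a local path."""
    match = UNC_HOST_RE.match(path)
    return match.group(1).lower() if match else None


def is_trusted_host(host: str, trusted_suffixes: Iterable[str],
                    trusted_networks: Iterable[ipaddress._BaseNetwork]) -> bool:
    """A host is trusted if it is under an allow-listed DNS suffix or inside an allow-listed network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: compare against DNS suffixes.
        return any(host == s or host.endswith("." + s) for s in trusted_suffixes)
    return any(addr in net for net in trusted_networks)


def find_suspicious_reminders(items: Iterable[Dict],
                              trusted_suffixes: Iterable[str] = ("corp.example",),
                              trusted_networks: Iterable[str] = ("10.0.0.0/8",)) -> List[Dict]:
    """Flag items whose reminder-sound path is a UNC path to a host outside the allowlists."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for item in items:
        param = item.get("reminder_file_parameter")
        if not param:
            continue
        host = unc_host(param)
        if host is None:
            continue  # local file path: processing it triggers no network connection
        if not is_trusted_host(host, trusted_suffixes, nets):
            flagged.append({"id": item["id"], "subject": item["subject"],
                            "sender": item["sender"], "host": host})
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious_reminders(SAMPLE_ITEMS):
        print(f"item {hit['id']} from {hit['sender']}: reminder path points at {hit['host']}")
```

The allowlist is a tuning choice: a legitimate reminder sound almost never lives on a network share, so a stricter hunt can drop the allowlists entirely and review every UNC reminder path, which in the constructed sample also surfaces the internal 10.0.0.200 item.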

Researchers from threat intelligence firm Mandiant also reported observing activity related to a months-long cyberespionage campaign exploiting the Microsoft vulnerability CVE-2023-23397, conducted by a threat actor tracked as UNC4697 (likely linked to the APT28 group).


Security Affairs newsletter Round 412 by Pierluigi Paganini – International edition

26 March 2023 at 17:25

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

If you also want to receive the international press newsletter for free, subscribe here.

NCA infiltrates the cybercriminal underground with fake DDoS-for-hire sites
Pwn2Own Vancouver 2023 awarded $1,035,000 and a Tesla for 27 0-days
CISA announced the Pre-Ransomware Notifications initiative
China-linked hackers target telecommunication providers in the Middle East
City of Toronto is one of the victims hacked by Clop gang using GoAnywhere zero-day
Critical flaw in WooCommerce Payments plugin allows site takeover
Pwn2Own Vancouver 2023 Day 2: Microsoft Teams, Oracle VirtualBox, and Tesla hacked
Experts published PoC exploit code for Veeam Backup & Replication bug
Cisco fixed multiple severe vulnerabilities in its IOS and IOS XE software
Nexus, an emerging Android banking Trojan targets 450 financial apps
Dole discloses data breach after February ransomware attack
Pwn2Own Vancouver 2023 Day 1: Windows 11 and Tesla hacked
Lionsgate streaming platform with 37m subscribers leaks user data
Rogue ChatGPT extension FakeGPT hijacked Facebook accounts
Experts released PoC exploits for severe flaws in Netgear Orbi routers
ENISA: Ransomware became a prominent threat against the transport sector in 2022
BreachForums current Admin Baphomet shuts down BreachForums
Independent Living Systems data breach impacts more than 4M individuals
New Bad Magic APT used CommonMagic framework in the area of Russo-Ukrainian conflict
New ShellBot bot targets poorly managed Linux SSH Servers
2022 Zero-Day exploitation continues at a worrisome pace
Ferrari confirms data breach after receiving a ransom demand from an unnamed extortion group
Crooks stole more than $1.5M worth of Bitcoin from General Bytes ATMs
Acropalypse flaw in Google Pixel’s Markup tool allowed the recovery of edited images
Threat actors abuse Adobe Acrobat Sign to distribute RedLine info-stealer
Emotet is back after a three-month hiatus
Play ransomware gang hit Dutch shipping firm Royal Dirkzwager
Lowe’s Market chain leaves client data up for grabs
NBA is warning fans of a data breach after a third-party newsletter service hack

International Press

Cybercrime

[Developing] BreachForums’ Alleged Admin Pompompurin Arrested, Dark Web Reacts

Largest telecom in Guam starts restoring services after cyberattack

Dole Says Employee Information Compromised in Ransomware Attack    

NCA infiltrates cyber crime market with disguised DDoS sites   

DOJ says ‘millions’ of US citizens victimized by BreachForums administrator

FBI, CISA investigating cyberattack on Puerto Rico’s water authority  

Hacking

(Ab)using Adobe Acrobat Sign to distribute malware   

Exploiting aCropalypse: Recovering Truncated PNGs

External Trusts Are Evil   

Vulnerability Spotlight: Netgear Orbi router vulnerable to arbitrary command execution 

MojoBox: Yet-Another Not-So-SmartLock

PWN2OWN VANCOUVER 2023 – DAY THREE RESULTS  

Malware

Emotet adopts Microsoft OneNote attachments

ShellBot Malware Being Distributed to Linux SSH Servers  

“FakeGPT” #2: Open-Source Turned Malicious in Another Variant of the Facebook Account-Stealer Chrome Extension   

Nexus: a new Android botnet?  

Building a Custom Mach-O Memory Loader for macOS – Part 1

Intelligence and Information Warfare

Bad magic: new APT found in the area of Russo-Ukrainian conflict   

German and South Korean Agencies Warn of Kimsuky’s Expanding Cyber Attack Tactics

Notorious SideCopy APT group sets sights on India’s DRDO  

Operation Tainted Love | Chinese APTs Target Telcos in New Attacks   

Cybersecurity

Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace  

UK issues strategy to protect National Health Service from cyberattacks 

Understanding Cyber Threats in Transport

Lineup set for House talks on Section 702 surveillance law

Veeam Backup and Replication CVE-2023-27532 Deep Dive  

Critical Vulnerability Discovered in WooCommerce Payments

Getting Ahead of the Ransomware Epidemic: CISA’s Pre-Ransomware Notifications Help Organizations Stop Attacks Before Damage Occurs   

Russia’s Rostec allegedly can de-anonymize Telegram users


OpenAI: A Redis bug caused a recent ChatGPT data exposure incident

26 March 2023 at 21:26

OpenAI revealed that a Redis bug was the root cause of the recent exposure of users’ personal information and chat titles in the ChatGPT service.

On Friday, OpenAI revealed that the recent exposure of users’ personal information and chat titles in its chatbot service was caused by a bug in the open-source Redis client library.

On March 20, 2023, several ChatGPT users started reporting seeing conversation histories of other users appearing in their accounts.

The same day, the history function showed the error message “Unable to load history,” and the chatbot service was temporarily interrupted. Below is the message published by OpenAI CEO Sam Altman.

we had a significant issue in ChatGPT due to a bug in an open source library, for which a fix has now been released and we have just finished validating.

a small percentage of users were able to see the titles of other users’ conversation history.

we feel awful about this.

— Sam Altman (@sama) March 22, 2023

The company identified the bug and quickly addressed it.

“We took ChatGPT offline earlier this week due to a bug in an open-source library which allowed some users to see titles from another active user’s chat history. It’s also possible that the first message of a newly-created conversation was visible in someone else’s chat history if both users were active around the same time.” reads an update published by the company.

The company investigated the impact of the issue and discovered that it may have caused the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window. The company pointed out that the issue did not disclose financial information.

“In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time.” continues the update.

OpenAI determined that the bug was in redis-py, the open-source Redis client library. The service uses Redis to cache user information on its servers.

OpenAI uses the redis-py library to interface with Redis from its Python server, which runs with Asyncio.

The library maintains a shared pool of connections between the server and the Redis cluster; the company states that once a request is done, its connection is recycled and used for another request.

“When using Asyncio, requests and responses with redis-py behave as two queues: the caller pushes a request onto the incoming queue, and will pop a response from the outgoing queue, and then return the connection to the pool.” continues the update. “If a request is canceled after the request is pushed onto the incoming queue, but before the response popped from the outgoing queue, we see our bug: the connection thus becomes corrupted and the next response that’s dequeued for an unrelated request can receive data left behind in the connection.” 

The company explained that only in some cases does the corrupted data match the data type the requester expects. When it does, the response served from the cache appears valid even though it belongs to another user.

On March 20, the company accidentally introduced a server-side change that caused a spike in Redis request cancellations. With cancellations spiking, each connection had a small chance of returning data belonging to other users.

The company notified the impacted users and also implemented redundant checks to ensure that the data returned by its Redis cache matches the requesting user.
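The failure mode described above, as an added simulation that is neither OpenAI's nor redis-py's code: a single pooled connection modelled as the two queues the post-mortem describes, a request cancelled after it was pushed but before its response was popped, and then the two defences, the redundant owner check the company mentions and, as a separate assumption of mine, discarding a connection whose request was cancelled mid-flight so the pool never hands it out again. The user records, the `Connection` and `Pool` classes and the timing constants are all constructed.

```python
import asyncio
from typing import Any, Dict, List, Optional

# Constructed cache contents standing in for cached user records (not real data).
STORE = {
    "user:alice": {"user_id": "alice", "email": "alice@example.test", "card_last4": "1111"},
    "user:bob": {"user_id": "bob", "email": "bob@example.test", "card_last4": "2222"},
}
LATENCY = 0.05  # simulated round trip of one cache request, in seconds


class Connection:
    """A pooled connection modelled as the two queues described in the post-mortem."""

    def __init__(self) -> None:
        self.incoming: asyncio.Queue = asyncio.Queue()  # requests pushed by callers
        self.outgoing: asyncio.Queue = asyncio.Queue()  # responses popped by callers
        self.broken = False

    async def serve(self) -> None:
        # Stand-in for the server side: answer requests strictly in FIFO order.
        while True:
            key = await self.incoming.get()
            await asyncio.sleep(LATENCY)
            await self.outgoing.put(STORE.get(key))

    async def request(self, key: str, discard_on_cancel: bool) -> Any:
        await self.incoming.put(key)
        try:
            return await self.outgoing.get()
        except asyncio.CancelledError:
            # Cancelled after the request went out but before its response was
            # popped: that response is still in flight and will be dequeued by
            # the next caller unless the connection is taken out of service.
            if discard_on_cancel:
                self.broken = True
            raise


class Pool:
    """Single-connection pool that recycles the connection after every request."""

    def __init__(self) -> None:
        self._conn: Optional[Connection] = None
        self._servers: List[asyncio.Task] = []

    async def acquire(self) -> Connection:
        if self._conn is None or self._conn.broken:
            self._conn = Connection()
            self._servers.append(asyncio.create_task(self._conn.serve()))
        return self._conn

    async def close(self) -> None:
        for task in self._servers:
            task.cancel()
        await asyncio.gather(*self._servers, return_exceptions=True)


async def fetch_profile(pool: Pool, user_id: str, discard_on_cancel: bool, verify: bool) -> Dict:
    conn = await pool.acquire()
    record = await conn.request(f"user:{user_id}", discard_on_cancel)
    # Redundant check of the kind OpenAI says it added: the record served from
    # the cache must belong to the user who asked for it.
    got = None if record is None else record["user_id"]
    if verify and got != user_id:
        conn.broken = True
        raise RuntimeError(f"cache returned {got!r} for {user_id!r}")
    return record


async def scenario(discard_on_cancel: bool, verify: bool) -> Dict[str, Any]:
    pool = Pool()
    # Alice's request is cancelled while its response is still in flight
    # (the timeout is shorter than the simulated latency).
    try:
        await asyncio.wait_for(fetch_profile(pool, "alice", discard_on_cancel, verify),
                               timeout=LATENCY / 5)
    except asyncio.TimeoutError:
        pass
    # Bob's request reuses the recycled connection.
    try:
        record = await fetch_profile(pool, "bob", discard_on_cancel, verify)
        outcome = {"served_user": record["user_id"], "error": None}
    except RuntimeError as exc:
        outcome = {"served_user": None, "error": str(exc)}
    await pool.close()
    return outcome


def run(discard_on_cancel: bool = False, verify: bool = False) -> Dict[str, Any]:
    """Synchronous entry point so each scenario can be called from plain code."""
    return asyncio.run(scenario(discard_on_cancel, verify))


if __name__ == "__main__":
    print("no fix:", run())                                   # Bob is served Alice's record
    print("redundant check:", run(verify=True))               # mismatch caught, request fails
    print("discard on cancel:", run(discard_on_cancel=True))  # Bob gets his own record
```

The owner check turns silent cross-user disclosure into a failed request, which is the behaviour the post-mortem describes for the cases where the stale response happened to have the expected type; dropping the connection on cancellation removes the stale response from the pool altogether, so the check never has to fire.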

